wok-next diff sshttp/description.txt @ rev 21127
Update xarchiver (0.5.4.14), xcursorgen (1.0.7)
| author | Aleksej Bobylev <al.bobylev@gmail.com> |
|---|---|
| date | Fri Jan 18 11:29:09 2019 +0200 (2019-01-18) |
| parents | |
| children | |
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/sshttp/description.txt Fri Jan 18 11:29:09 2019 +0200 1.3 
@@ -0,0 +1,133 @@ 1.4 +sshttp - hiding SSH servers behind HTTP 1.5 +======================================= 1.6 + 1.7 +![sshttp](https://github.com/stealth/sshttp/blob/master/sshttp.jpg) 1.8 + 1.9 +[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9MVF8BRMX2CWA) 1.10 + 1.11 +# 0. Intro 1.12 + 1.13 +In case your FW policy forbids __SSH__ access to the DMZ or internal 1.14 +network from outside, but you still want to use ssh on machines 1.15 +which only have one open port, e.g. __HTTP__, you can use `sshttpd`. 1.16 + 1.17 +_sshttpd_ can multiplex the following protocol pairs: 1.18 + 1.19 +* SSH/HTTP 1.20 +* SSH/HTTPS 1.21 +* SSH/SMTP (without SMTP multiline banners) 1.22 +* HTTPS SNI multiplexing 1.23 +* SSH/HTTPS with SNI multiplexing 1.24 + 1.25 +# 1. Build 1.26 + 1.27 +Be sure you run recent Linux kernel and install `nf-conntrack` as well 1.28 +as `libcap` and `libcap-devel` if you want to use the capability feature. 1.29 + 1.30 +``` 1.31 +$ make 1.32 +``` 1.33 + 1.34 +There is a new `splice` branch inside the git. `git checkout splice` 1.35 +before `make`, if you want to test this new branch. It implements 1.36 +zero-copy in terms of the __splice(2)__ system call which has a performance 1.37 +benefit since it avoids copying the network data between user and kernel 1.38 +land back and forth (__read()/write()__), which could also just be spliced kernel-internally 1.39 +at the "extra cost" of two additional pipe descriptors per connection. 1.40 + 1.41 +# 2. Setup for single host 1.42 + 1.43 +This paragraph describes the setup where all services run on the same host 1.44 +as _sshttpd_ itself. The muxing happens to the same IP/IP6 address that 1.45 +the outside connects arrive to, so basically just the ports are changing per 1.46 +detected service. 1.47 + 1.48 +_sshttpd_ is an easy to use OSI-Layer5 switching daemon. 
It runs 1.49 +transparently on __HTTP(S)__ port (`-L` switch, default 80) and decides 1.50 +on incoming connections whether this is __SSH__ or __HTTP(S)__ traffic. 1.51 +If its __HTTP(S)__ traffic, it switches the traffic to the `HTTP_PORT` 1.52 +(`-H`, default 8080) and if its __SSH__ traffic to `SSH_PORT` (`-S`, default 1.53 +22) respectively. 1.54 + 1.55 +You need to edit `nf-setup` script to match your network device and `$PORTS` (`22` and `8080` 1.56 +are just fine for the SSH/HTTP case) and run it to install the proxy rules. 1.57 +Your _sshd_ has to run on `$SSH_PORT` and your webserver on `$HTTP_PORT`. 1.58 +Thats basically it. Go ahead and run _sshttpd_ (as root) and it will layer5-switch 1.59 +your traffic destinated to TCP port 80: 1.60 + 1.61 +``` 1.62 +# ./nf-setup 1.63 +Using network device eth0 1.64 +Setting up port 22 ... 1.65 +Setting up port 8080 ... 1.66 +# ./sshttpd -S 22 -L 80 -H 8080 -U nobody -R /var/empty 1.67 +sshttpd: Using HTTP_PORT=8080 SSH_PORT=22 and local port=80. Going background. Using caps/chroot. 1.68 +# 1.69 +``` 1.70 + 1.71 +If you want to mux __SMTP__ with _sshttpd_, just give `25` as `-L` parameter, `2525` 1.72 +as `-H` parameter, and setup your smtp daemon to listen on 2525. Then 1.73 +edit the `nf-setup` script to match these ports. In the `Makefile`, change the 1.74 +`SMTP_DOMAIN` and `SSH_BANNER` to your needs (`SSH_BANNER` must match exactly 1.75 +yours of the running _sshd_). 1.76 +SMTP/SSH muxing was tested with OpenSSH client and Postfix client and server. 1.77 + 1.78 +When muxing IPv6 connections, the setup is basically the same; just use the `nf6-setup` 1.79 +script and invoke _sshttpd_ with `-6`. 1.80 + 1.81 +# 3. Transparent proxy setup 1.82 + 1.83 +You can run _sshttpd_ also on your gateway machine and transparently proxy/mux 1.84 +all of your __HTTP(S)/SSH__ traffic to your internal LAN. To do so, run _sshttpd_ with 1.85 +`-T` and use `nf-tproxy` rather than `nf-setup` as a template for your FW setup. 
1.86 +Carefully read `nf-tproxy` so you dont lock yourself out of the network and all 1.87 +the network devices and IP addresses match your setup. 1.88 + 1.89 +# 4. SNI Mux 1.90 + 1.91 +With _sshttpd_ you can also mux based on the HTTPS SNI. Just set up your 1.92 +`nf-setup` to contain the SNI ports (there are already samples) and invoke 1.93 +_sshttpd_ with `-N name:port` e.g. `sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350` 1.94 +to hide a sshd on 22 and a [drops setup](https://github.com/stealth/drops) on port 7350 behind port 443, and at the same time serving 1.95 +your webserver from port 4433 to be visible to outside on port 443. 1.96 +This works because _drops_ sets the SNI of `drops.v2` in outgoing connects. 1.97 +Multiple `-N` switches are allowed so you could mux a lot of services 1.98 +via SNI. The ports/services must run all on the same machine where the original request 1.99 +was destinated to. If you just want to mux based on SNI, you can set the SSH port to 0 via `-S 0`. 1.100 + 1.101 +# 5. Misc 1.102 + 1.103 +You dont need to patch any of your ssh/web/smtp client or server software. It 1.104 +works as is. _sshttpd_ runs only on Linux and needs `IP_TRANSPARENT` support. 1.105 +It would work without, but by using `IP_TRANSPARENT` it is possible to even 1.106 +have unmodified syslogs, e.g. the original source IP/port of incoming connections 1.107 +is passed as-is to the SSH/HTTP/SMTP servers. 1.108 + 1.109 +Make sure the `nf_conntrack` and `nf_conntrack_ipv4` or `nf_conntrack_ipv6` modules are loaded. 1.110 +_sshttpd_ is also a tricky anti-SSH0day (if ever:) and anti SSH-scanning/bruteforcing 1.111 +measurement. 1.112 +_sshttpd_ has small footprint and was optimized for speed so it also runs 1.113 +on heavily loaded web servers. 1.114 + 1.115 +Since version 0.24, _sshttpd_ also supports multiple CPU cores. 
Unless 1.116 +`-n 1` is used as switch, _sshttpd_ binds one thread per CPU core, 1.117 +to better exploit the hardware if running on heavily used web servers. 1.118 +It still runs this fixed number of threads no matter how many 1000s connection 1.119 +it handles at the same time. 1.120 +_sshttpd_ runs as `nobody` user inside a `chroot()` (configurable via `-U` and `-R` switch) 1.121 +if compiled with `USE_CAPS`. It can also distinguish between __SSH__ and __SSL__ 1.122 +sessions, you just have to use an `LOCAL_PORT (-L)` of 443 or 4433 and change 1.123 +the `HTTP_PORT` in the `nf-setup` script to match your webservers __HTTPS__ port. 1.124 +You cannot mix HTTP/SSH and HTTPS/SSH in one _sshttpd_ instance but you can 1.125 +run two sshttpd's to reach that goal: one on `LOCAL_PORT 80` and one on 1.126 +`LOCAL_PORT 443`. 1.127 + 1.128 +# 6. Alternative docu 1.129 + 1.130 +As per 2017 it seems you have to provide alternative facts for everything, 1.131 +so here are some good writeups from other people for better understanding or in case my 1.132 +description was too brief: 1.133 + 1.134 +* [by stalkr](http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html) 1.135 +* [by Will Rouesnel](http://blog.wrouesnel.com/articles/Setting%20up%20sshttp/) 1.136 +* [by Yves](http://yalis.fr/cms/index.php/post/2014/02/22/Multiplex-SSH-and-HTTPS-on-a-single-port)
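Review bot: the commit message ("Update xarchiver (0.5.4.14), xcursorgen (1.0.7)") does not describe this hunk, which adds a new `sshttp/description.txt` and touches neither of those packages; either split the sshttp description into its own commit or name it in the message so the history stays searchable. The file is the upstream README imported wholesale, including lines that do not belong in a package description: the image reference `![sshttp](https://github.com/stealth/sshttp/blob/master/sshttp.jpg)` and the PayPal donate button link on the following line will show up as a broken image and an advertisement in the package browser and should be dropped. Two smaller points while importing: the Build section tells the user to "install `nf-conntrack`" whereas the Misc section refers to the `nf_conntrack`, `nf_conntrack_ipv4` and `nf_conntrack_ipv6` modules, so use one spelling consistently; and the text carries the upstream typos ("Thats basically it", "so you dont lock yourself out", "destinated", "If its __HTTP(S)__ traffic", "anti SSH-scanning/bruteforcing measurement" for "measure") that are cheap to fix in a distro-maintained copy.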